Funnel Builder Plugin Flaw Lets Hackers Steal Credit Cards

A critical vulnerability in a popular WordPress plugin is being actively exploited right now, and if you run a WooCommerce store, this is urgent. Hackers are silently slipping payment card-stealing code into checkout pages, and thousands of unsuspecting online shoppers could be handing over their financial details without a single warning sign.

The Plugin Bug Putting 40,000 Websites at Risk

The Funnel Builder plugin by FunnelKit is one of the most widely used tools for WordPress store owners who want to build custom WooCommerce checkout experiences. With features like one-click upsells, landing page builders, and conversion optimization tools, it powers the checkout flows of more than 40,000 active websites worldwide. But a newly discovered critical flaw in the plugin is now being actively weaponized in the wild.

**The vulnerability sits inside an unprotected, publicly accessible checkout endpoint that requires absolutely no authentication to reach.** Any attacker from anywhere in the world can hit that endpoint without a username or password, giving them direct access to modify the plugin’s global settings. The flaw affects every version of Funnel Builder released before version 3.15.0.3.

No official CVE identifier has been assigned to this flaw yet. That matters because many site owners depend on automated vulnerability scanners that trigger alerts based on CVE numbers. Without one, countless sites running the older version may not receive any automatic warning at all.


How the Attack Actually Works

The attack chain here is deliberate, well-planned, and designed to stay invisible for as long as possible. Once an attacker reaches the unprotected endpoint, they inject malicious JavaScript directly into the plugin’s “External Scripts” setting. From that point, the code runs automatically on every checkout page load across the entire infected site.

**The payload is disguised as a fake Google Tag Manager or Google Analytics script, which makes it look perfectly legitimate at first glance.** The injected script is pulled from analytics-reports[.]com using a filename called “jquery-lib.js.” Both the domain name and the file name are carefully chosen to mimic the kind of real analytics and JavaScript library calls that web developers use every single day.

Once that fake script loads, it opens a WebSocket connection to an external server at wss://protect-wss[.]com/ws. A WebSocket is essentially a live, two-way communication channel between a browser and a remote server. Through that open channel, the attacker’s server delivers a customized payment card skimmer directly to the shopper’s browser in real time. This live delivery method is what makes the attack particularly hard to catch. The skimmer code does not have to sit permanently on the infected site where a security scanner might spot it. It is pushed fresh through the live connection each time a real shopper reaches the checkout page.

What Shoppers Are Actually Losing at Checkout

The skimmer has one focused purpose: silently capture every piece of sensitive payment data a shopper types into the checkout form and transmit it back to the attacker before the purchase even processes. Here is what is being harvested on every infected checkout page:

  • Full credit card numbers
  • CVV security codes
  • Billing names and addresses
  • Other personal customer details entered at checkout

**Stolen card data like this typically surfaces on dark web carding markets within hours of being captured, sold individually or in bulk to other cybercriminals.** Carding markets are underground platforms where stolen payment details are bought and used for fraudulent online transactions. A fresh batch of card data from an active e-commerce store can fetch a significant price. Victims often do not realize their card was stolen until fraudulent charges appear days later.

E-commerce security firm Sansec was the first to detect and document this active exploitation campaign. The firm, which specializes in tracking malicious activity on online stores, identified the suspicious script patterns being injected across WooCommerce sites running the vulnerable Funnel Builder versions.

How to Fix This and Protect Your Store Right Now

FunnelKit moved quickly once the issue was flagged. The patched version, Funnel Builder 3.15.0.3, was released on May 14, 2026. The company confirmed the attack in a security advisory, stating that they “identified an issue that allowed bad actors to inject scripts.” If you run a WordPress site using Funnel Builder, here is the action plan:

| Step | Action | Where to Do It |
|---|---|---|
| 1 | Update the plugin immediately | WordPress Dashboard > Plugins |
| 2 | Check for rogue injected scripts | Settings > Checkout > External Scripts |
| 3 | Test your live checkout page | Visit your store’s checkout directly |
| 4 | Run a full site malware scan | Use a trusted WordPress security plugin |

**If you find any unfamiliar or suspicious script inside the External Scripts section, remove it immediately before doing anything else.** Even if nothing looks obviously wrong, any site that ran an older version of the plugin in recent weeks should be treated as potentially compromised. The nature of this attack means that malicious scripts can be subtle and easy to overlook during a quick visual check. A thorough audit of your checkout settings is not optional right now; it is essential.

The missing CVE identifier adds one more layer of concern. Store owners who rely on plugin vulnerability alert services tied to CVE databases may never receive a notification about this specific flaw, leaving their sites exposed with no automated nudge to update.

The Funnel Builder exploit is a sharp reminder of how quickly a single unpatched plugin can silently turn a trusted online store into a financial data harvesting tool. Over 40,000 websites were running this plugin, and real shoppers are at real risk on every checkout page that has not yet been updated. FunnelKit has done its part by releasing the patch fast. The rest now falls entirely on site owners. Update to version 3.15.0.3 today, audit your external scripts, and do not wait for a security alert that may never come. Your customers trusted you with their card details, and right now, acting fast is the only way to protect that trust.

What do you think about the growing wave of payment skimmer attacks targeting WordPress stores? Drop your thoughts in the comments below and share this with any WooCommerce store owner you know.
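To make steps 2 and 3 of the action plan repeatable rather than a quick visual check, here is an added example (not FunnelKit's or Sansec's code) that scans saved checkout-page HTML for script tags loading from hosts outside an assumed allowlist, and for inline scripts that open a WebSocket like the one described above. The allowlist is an assumption to tailor per site, and the sample HTML is constructed from the indicators named in this article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts this store legitimately loads scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}


class ScriptCollector(HTMLParser):
    # Collects external <script src> URLs and inline <script> bodies.
    def __init__(self):
        super().__init__()
        self.external = []       # src URLs
        self.inline = []         # inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per suspicious script; an empty list means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""   # relative src -> "" (same origin)
        if host and host not in allowed_hosts:
            findings.append(f"unknown script host: {host} ({src})")
    for body in parser.inline:
        if "wss://" in body or "new WebSocket(" in body:
            findings.append("inline script opens a WebSocket")
    return findings


# Constructed sample: a real GTM tag next to the lookalike described above.
SAMPLE_HTML = """<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://analytics-reports.com/jquery-lib.js"></script>
<form id="checkout"></form>"""
```

Feed it the HTML of your live checkout page (saved with a browser or curl) and review every finding against the External Scripts setting; a hit on a host you never added is the signal to remove the entry and start the malware scan.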

Leela Sehgal is an Indian author who works at ketion.com. She writes short and meaningful articles on various topics, such as culture, politics, health, and more. She is also a feminist who explores the issues of identity and empowerment in her works. She is a talented and versatile writer who delivers quality and diverse content to her readers.
